Counting the cost

12 April 2018

This article was featured in the May 2018 issue of the magazine.

Lisa Gillespie, human resources director at Moorepay, contends that HR must get deeply involved in delivering cyber security in the workplace

The impending introduction of the General Data Protection Regulation on 25 May means the cost of poor cyber security is about to rocket, with lost, hacked, stolen and badly-managed data liable to cost your business up to £17 million (€20 million) or four per cent of global turnover in fines. 

These are serious figures, but many in human resources (HR) would assume – and be forgiven for assuming – that preventing cyber-attacks is not their responsibility. Of course, it’s down to IT to sort all that stuff out, right? 

No, I’m afraid that’s not the case. Let’s look at the origins of the word ‘cyber’. It comes from the Greek ‘cybernetic’, meaning ‘skilled in steering or governing’. When you think about the function of HR in an organisation this becomes more obvious. 




It is HR’s role to steer and/or govern the organisation’s culture, using policies and compliance mechanisms to ensure the right behaviours are embedded, trained-in, kept up-to-date and upheld consistently across the human resource. 

Because the truth is that those delightful humans you employ – not hackers – are the greatest threat to your cyber security. 

There are plenty of research papers and studies on the subject and the findings are the same regardless of which ones you read. So, let’s take a look at the top causes of data breaches:

  • The Association of Corporate Counsel released a report last year which said 62 per cent of small- to medium-size enterprises had experienced cyber-attacks – and human error was the leading cause.

  • In another report, 42 per cent of contributors blamed end-user failure to follow policies and procedures. Carelessness, failure to recognise or be alert to new threats, and a lack of expertise with websites/applications were also cited.

Every single one of these reasons can be traced back to HR’s responsibility to communicate security standards and maintain them. 

Of course, if IT staff fail to follow policies and procedures this can significantly increase risk, as they have responsibility to put adequate protections in place to reduce exposure. But they are only the failover: HR is the gatekeeper. (‘Failover’ is a procedure by which a system automatically transfers control to a duplicate system when it detects a fault or failure.)

The Information Commissioner’s Office (ICO) publishes quarterly statistics about the main causes of reported data security incidents. In the last published quarter, the top five causes in cases where the ICO took action involved human errors or process failures, all of which were avoidable. 

Think about the following behaviours – could they be happening in your organisation?

  • loss or theft of paperwork 

  • data posted or faxed to incorrect recipient 

  • data sent by email to incorrect recipients

  • insecure web pages 

  • loss or theft of an unencrypted device.

For many months I have been advising HR professionals and senior executives to ensure that GDPR is on the agenda at every board meeting, because every business needs to get their house in order before May. 

In particular, HR needs to think about cyber security much as it does about general health and safety management systems, because it’s all about mitigating risk. Risks will always exist, and it is what you do to minimise them that matters most. 

Any organisation unfortunate enough to experience a data breach can only defend any legal action against itself in the context of what it did to avoid or minimise the attack, and that all comes back to good governance. 

But if I have still not convinced you, here’s some more food for thought. The Chartered Institute of Professional Development collaborated with the government to produce a very informative – and free – e-learning course on HR’s role in leading cyber security. You can see for yourself: